There's little disagreement that the circumstances of the new coronavirus - a wildly contagious pathogen that can rip through communities and leave health systems overwhelmed - merits the use of all tools available. But the crisis also brings new privacy questions, such as how location data should be protected, who has access to it, how data can be de-identified and how long it should be retained.

Patrick Fair

Australia already has two years of location data for everyone's phone. Five years ago, Parliament amended the Telecommunications (Interception and Access) Act 1979. The amendment requires ISPs and telecommunication providers to retain location data, along with a record of phone call and email metadata.

No laws would likely need to be changed to use that data for virus tracking, says Patrick Fair, principal at Patrick Fair Associates and an adjunct professor at Deakin University. The government has broad powers already, including under the federal government's Biosecurity Act, and state laws such as New South Wales' Public Health Act.

But Fair cautions there are big privacy issues, including the potential for creating a consolidated, individualized tracking system that could be repurposed. There's also a risk that due to the urgent public health risk, proper oversight and controls won't put in place beforehand, he says.

App of Interest: Singapore

Australia is conscious of the risks of using data in new ways during this health crisis. In response, the Office of the Australian Information Commissioner, which oversees privacy laws, on March 27 created a special team to safeguard personal information amid the pandemic.

The National COVID-19 Privacy Team is an eight-person panel that includes federal Information Commissioner Angelene Falk and the privacy and information commissioners from the six states and Northern Territory.

A goal of the OAIC is to help organizations manage privacy assessments in a rapidly changing environment, including at
workplaces and within the government. That could include reviewing potential ideas for contact tracing systems. Other countries, including China, Taiwan, Israel, South Korea and Singapore, have those in place. One of those systems is showing strong interest in Australia.

Singapore's TraceTogether app exchanges between users anonymized IDs, which are encrypted locally and used if someone tests positive for coronavirus.

TraceTogether uses Bluetooth to record individual's movements relative to other people. It doesn't collect GPS data, and phones in proximity to one another exchange random identifiers, which are encrypted locally. If someone tests positive for coronavirus, they voluntarily submit their recent location data, and alerts go out to people with which they've crossed paths.

The system has many strong privacy features but isn't perfect, according to an analysis by researchers at Macquarie University and the University of Melbourne. The system doesn't get the data for users who have not been infected or been close to someone who has. But there is still the possibility that a central authority could obtain data logs for large numbers of people, they write.

"We must not ignore privacy concerns and implications of TraceTogether or similar apps that may be rolled out in Australia," the researchers write. "While many of the legal considerations could be relaxed at the discretion of enforcement authorities during times of crisis such as the current public health emergency, privacy issues could markedly hinder the adoption of these mobile apps."

There are a variety of other projects aimed at creating a contacts-tracing system with privacy-by-design principles, including Safe Paths from MIT and Covid Watch. Also, a document has been compiled by Covid Watch and Stop Covid Tech outlining best practices developers should keep in mind when developing contact-tracing apps.

Plus, researchers at Boston University have written a research paper that proposes creating a smartphone app that uses short-range transmission technologies that can inform users if they have been in close proximity to a person infected with COVID-19 - while maintaining privacy.

Digital System Adoption

Whether Australia is culturally ready for a sweeping contacts tracing system is questionable. At times, the government has struggled with pushing adoption of digital systems.

The government's roll out of digital health records, called the My Health Record, stalled after few Australians opted into the program. The government then shifted position, automatically creating digital records for everyone. It led to a public relations disaster following criticism of privacy and security controls.

Contacts tracing is extremely sensitive since it hinges on location data, which in a raw form is nearly impossible to anonymize. It reveals where people work, where they shop and where they go at night.

A contacts system that allows people to voluntarily participate might only result in a patchy data set, which could undermine its usefulness, says Melanie Marks, principal of the Sydney-based privacy and cybersecurity consultancy elevenM.

At the same time, if the government mandates use of a location-tracing app, there's a risk of a backlash and worries about creating a surveillance state, says Susan Bennett, executive director of Information Governance ANZ.

Susan Bennett

"It's much better if you can get people to voluntarily do things," Bennett says. "You need to get a majority of people taking it up to get the benefits of it. This goes to the core of our democratic and civil liberties and what sort of society we want to live in."

Marks says that a contacts tracing system would need several characteristics, including starting on a de-identified basis. If people need to be identified, a strong policy framework would need to be required that dictates only under specific circumstances someone could be identified.

That's in contrast to designing a system where the whole population's whereabouts for the last few months could simply be seen, she says.

Creeping Scope

Another question is how long such a program should remain in place. Marks says the parameters of determining when a program ends that hinges on an unpredictable pandemic would be difficult.

"What are the triggers for winding back a free flow of information that we've enabled?" Mark says. "Those windback measures are just as important in the policy framework."

The risk is that such a system proves so useful that it could be repurposed, Fair says. The situation could mark a sea change in the way that liberal democracies use data, he adds.

"When [a contacts tracing system] demonstrates that it can save lives and money, other arguments for other purposes that it can save us lives and money will be more attractive," Fair says. "This will be the test case."

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.